Microsoft Forefront TMG - Use Network Template
In this tutorial we will show you how to use Network Template, how to create additional networks and how to customize Forefront TMG network settings.
Begin
Forefront TMG uses a 'multi-networking' concept. To define your network topology, you first create networks in Forefront TMG. Once all the necessary networks exist, you define the relationships between them as network rules. Forefront TMG supports two types of network rules:
Route - This type establishes a two-way connection between the two networks and routes the original IP addresses between them.
NAT - This type establishes a one-way connection between the two networks and hides the IP addresses of the network segment behind the IP address of the corresponding network adapter.
After creating networks and rules for the network, you must create firewall rules to allow or deny traffic between the connected networks.
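The difference between the two rule types is easiest to see by asking which source address the destination observes. The following is an added example, not code from the original tutorial or from Forefront TMG; it is a simplified model, and the network names, address ranges, adapter addresses and the choice of the destination-side adapter as the NAT address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    name: str
    cidr: str          # address range assigned to the network (constructed)
    adapter_ip: str    # TMG adapter address facing this network (constructed)

@dataclass(frozen=True)
class NetworkRule:
    source: str
    destination: str
    relation: str      # "Route" or "NAT"

# Constructed Edge-style topology with one additional perimeter network.
NETWORKS = [
    Network("Internal", "10.0.0.0/24", "10.0.0.1"),
    Network("Perimeter", "172.16.0.0/24", "172.16.0.1"),
    Network("External", "0.0.0.0/0", "203.0.113.10"),  # catch-all, listed last
]
RULES = [
    NetworkRule("Internal", "Perimeter", "Route"),
    NetworkRule("Internal", "External", "NAT"),
    NetworkRule("Perimeter", "External", "NAT"),
]

def network_of(ip):
    """Return the first network whose range contains ip."""
    addr = ipaddress.ip_address(ip)
    return next(n for n in NETWORKS if addr in ipaddress.ip_network(n.cidr))

def evaluate(src_ip, dst_ip):
    """Return (relation, source address the destination sees) or (None, None)."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    for rule in RULES:
        forward = (rule.source, rule.destination) == (src.name, dst.name)
        reverse = (rule.source, rule.destination) == (dst.name, src.name)
        if rule.relation == "Route" and (forward or reverse):
            return "Route", src_ip            # two-way, original address kept
        if rule.relation == "NAT" and forward:
            return "NAT", dst.adapter_ip      # one-way, hidden behind the adapter
    return None, None                         # no relationship: not connected

if __name__ == "__main__":
    for src, dst in [("10.0.0.25", "172.16.0.80"), ("172.16.0.80", "10.0.0.25"),
                     ("10.0.0.25", "198.51.100.7"), ("198.51.100.7", "10.0.0.25")]:
        print(src, "->", dst, evaluate(src, dst))
```

A matching network rule only establishes the relationship; firewall rules are still needed to allow or deny the traffic itself.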
Network template
To make Forefront TMG easier to configure, TMG provides pre-designed network templates for typical firewall scenarios. You can completely change the network design after the initial installation. To do so, launch the Getting Started Wizard in the TMG Management interface. The following figure shows where to launch the Getting Started Wizard.
Figure 1: Forefront TMG's Getting Started Wizard
Configure network settings
The Getting Started Wizard allows you to select the required network template. Forefront TMG offers four network templates:
- Edge Firewall
- 3-Leg perimeter
- Back firewall
- Single network Adapter
Edge Firewall
The Edge Firewall template is the classic network template: it connects the internal network to the Internet, with Forefront TMG protecting the internal network. A typical Edge Firewall configuration requires at least two network adapters on the Forefront TMG Server.
3-Leg Perimeter
A 3-Leg Perimeter firewall is a Forefront TMG Server with three or more network adapters. One adapter connects to the internal network, one to the external network and one to the DMZ (Demilitarized Zone), also called the perimeter network. The perimeter network hosts services that should be accessible from the Internet but still protected by Forefront TMG. Typical services in a DMZ are a Web server, a DNS server or a WLAN network. A 3-Leg Perimeter firewall is also often called a 'poor man's firewall'; it is not a 'true' DMZ. A true DMZ is the area between two different firewalls.
Back Firewall
The Back Firewall template is used when Forefront TMG is located behind a front firewall. The back firewall protects the internal network from access from the DMZ and the external network, and it controls the traffic allowed from the computers in the DMZ and from the front firewall.
Note: Forefront TMG does not have a corresponding Front Firewall network template.
Single Network Adapter
The Single Network Adapter template has some limitations: a Forefront TMG server with only one network interface cannot be used as a real firewall, so many services are unavailable. It only has the following features:
- Forward Web Proxy requests using HTTP, Secure HTTP (HTTPS), or File Transfer Protocol (FTP) for downloads.
- Store web content for clients on the corporate network.
- Web publishing to protect FTP servers and publish Web
- Microsoft Outlook Web Access, ActiveSync and RPC over HTTP (also called Outlook Anywhere in Exchange Server 2007).
Figure 2: Network Template section
In the next step, select the network adapters that will be used for this network template. This example uses the Edge Firewall template, so you have to choose which network adapter connects to the LAN and which connects to the external (untrusted) network.
Figure 3: Select the network adapter
In Forefront TMG, you can now specify additional network routes in the UI, without using the route add command from the command line. The following figure shows the default networks created by the Microsoft Forefront TMG installation. Only internal networks have the option to configure the IP address range.
Figure 4: Forefront TMG networks
Forefront TMG has several associated network rules, which define relationships between networks.
Figure 5: Network rules
Another new feature in Microsoft Forefront TMG is the ability to define some basic network adapter settings such as the IP address, Default Gateway, etc.
Figure 6: Forefront TMG Network Adapter
The figure below shows the configuration options for the network adapter.
Figure 7: IP address property page
With Forefront TMG, you can create new network routes through the TMG Management interface.
Figure 8: Network routes
The figure below shows an example of creating a route for a new network.
Figure 9: Create a new route
New networks in TMG
It is possible to create additional networks in Forefront TMG. Forefront TMG has a wizard for creating new networks.
Figure 10: Forefront TMG - Create a new network
New networks can be created for different regions. For example, it is possible to create a new network for an additional DMZ on Microsoft Forefront TMG.
Figure 11: Forefront TMG - Specify the network type
Specify the range of IP addresses for new networks.
Figure 12: Forefront TMG - IP address range
After creating a new network, you must either link it to an existing network rule or create a new network rule of type Route or NAT.
Export and import network definitions
It is possible to export Forefront TMG networks or network settings to an XML file with the Forefront TMG import and export feature.
Figure 13: Forefront TMG - Export and import network definitions
Conclusion
In this article, I have given you an overview of how to use networks, network templates and network rules in Forefront TMG to build a network topology. As you can see from the article, it is easy to create a network topology with the help of network templates. Forefront TMG has some pretty useful improvements related to network configuration: TMG administrators can create network routes and configure some basic IP address settings directly in the TMG Management console. Most other settings remain unchanged compared to Microsoft ISA Server 2006.